[Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
Juan Ángel Martín
martin_ja at camerfirma.com
Wed Aug 10 07:05:16 UTC 2022
Hello,
The use of ‘GE’ (Government Entity) followed by the character ‘:’ (colon) instead of the use of ‘GOV’ would be compliant with the European Regulation UE 910/2014.
Option:
* For Government Entities, the CA SHALL enter the Registration Scheme identifier ‘GE’ followed by the 2 character ISO 3166 country code for the nation in which the Government Entity is located. If the Government Entity is verified at a subdivision (state or province) level, then a plus "+" (0x2B (ASCII), U+002B (UTF-8)) followed by a 2 character ISO 3166-2 identifier for the subdivision is added.
The European Regulation defines into the European Norm ETSI EN 319 412-1 the semantic for the organizationIdentifier for natural and legal persons.
The legal person semantic is defined as:
5.1.4 Legal person semantics identifier
The semantics of id-etsi-qcs-SemanticsId-Legal shall be as follows.
When the legal person semantics identifier is included, any present organizationIdentifier attribute in the subject
field shall contain information using the following structure in the presented order:
• 3 character legal person identity type reference;
• 2 character ISO 3166-1 [2] country code;
• hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
• identifier (according to country and identity type reference).
The three initial characters shall have one of the following defined values:
1) "VAT" for identification based on a national value added tax identification number.
2) "NTR" for identification based on an identifier from a national trade register.
3) "PSD" for identification based on national authorization number of a payment service provider under
Payments Services Directive (EU) 2015/2366 [i.13]. This shall use the extended structure as defined in ETSI TS 119 495 [3], clause 5.2.1.
4) "LEI" for a global Legal Entity Identifier as specified in ISO 17442 [4]. The 2 character ISO 3166-1 [2] country code shall be set to 'XG'.
5) Two characters according to local definition within the specified country and name registration authority, identifying a national scheme that is considered appropriate for national and European level, followed by the character ":" (colon).
Other initial character sequences are reserved for future amendments of the present document. In case "VAT" legal person identity type reference is used in combination with the "EU" transnational country code, the identifier value should comply with Council Directive 2006/112/EC [i.12], article 215.
EXAMPLES: "VATBE-0876866142" and "EI:SE-5567971433".
When a locally defined identity type reference is provided (two characters followed by ":"), the nameRegistrationAuthorities element of SemanticsInformation (IETF RFC 3739 [1]) shall be present and shall contain at least a uniformResourceIdentifier generalName. The two letter identity type reference following the ":" character shall be unique within the context of the specified uniformResourceIdentifier.
Best Regards
Juan Ángel
De: Smcwg-public <smcwg-public-bounces at cabforum.org> En nombre de Stephen Davidson via Smcwg-public
Enviado el: martes, 9 de agosto de 2022 15:27
Para: Corey Bonnell <Corey.Bonnell at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>; Adriano Santoni <adriano.santoni at staff.aruba.it>
Asunto: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
Currently the text in 7.1.4.2.2 (d) says:
Note 2: For the following types of entities that do not have an identifier from the Registration Schemes listed in Appendix A<https://github.com/cabforum/smime/blob/preSBR/SBR.md#appendix-a---registration-schemes>:
* For Government Entities, the CA SHALL enter the text `Government Entity`.
* For International Organization Entities, the CA SHALL enter the text `International Organization Entity`. An International Organization Entity is founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments.
An option would be to change that text to:
Note 2: For the following types of entities that do not have an identifier from the Registration Schemes listed in Appendix A<https://github.com/cabforum/smime/blob/preSBR/SBR.md#appendix-a---registration-schemes>:
* For Government Entities, the CA SHALL enter the Registration Scheme identifier ‘GOV’ followed by the 2 character ISO 3166 country code for the nation in which the Government Entity is located. If the Government Entity is verified at a subdivision (state or province) level, then a plus "+" (0x2B (ASCII), U+002B (UTF-8)) followed by a 2 character ISO 3166-2 identifier for the subdivision is added.
* For International Organization Entities, the CA SHALL enter the Registration Scheme identifier ‘INTORG’ followed by the ISO 3166 code "XG". An International Organization Entity is founded by a constituent document, e.g., a charter, treaty, convention or similar document, signed by, or on behalf of, a minimum of two Sovereign State governments.
For example:
* GOVUS (Government Entity, United States)
* GOVUS+CA (Government Entity, United States - California)
* INTORGXG (International Organization)
Thoughts?
Regards, Stephen
From: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> On Behalf Of Corey Bonnell via Smcwg-public
Sent: Tuesday, August 9, 2022 8:11 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>; SMIME Certificate Working Group <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>>; Adriano Santoni <adriano.santoni at staff.aruba.it<mailto:adriano.santoni at staff.aruba.it>>
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
We use “XG” to denote a Registration Scheme that is employed globally. Perhaps we can co-opt that for International Orgs.
From: Tim Hollebeek <tim.hollebeek at digicert.com<mailto:tim.hollebeek at digicert.com>>
Sent: Friday, August 5, 2022 11:27 AM
To: Corey Bonnell <Corey.Bonnell at digicert.com<mailto:Corey.Bonnell at digicert.com>>; SMIME Certificate Working Group <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>>; Adriano Santoni <adriano.santoni at staff.aruba.it<mailto:adriano.santoni at staff.aruba.it>>
Subject: RE: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
This is an interesting idea, and I like the fact that the disambiguation information is in a defined format and in a place that’s consistent with how we handle “normal” organizations, but how would it be extended to work for international organizations? Just use something like “INTORG” for them? Or do we require naming of at least one valid jurisdictions (the requirements require two, so one is always available), like “INTORG+US”? Do we care that NORAD could be encoded as “INTORG+CA” as well, violating encoding uniqueness? Do we go for “INTORG+US,CA” (probably not, the orgIDs are complicated enough already).
I think just “INTORG” is probably fine, as hopefully names of international organizations are more likely to be globally unique, unlike things like “Ministry of Finance” which is likely to exist in many countries and needs disambiguation.
-Tim
From: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> On Behalf Of Corey Bonnell via Smcwg-public
Sent: Friday, August 5, 2022 9:21 AM
To: Adriano Santoni <adriano.santoni at staff.aruba.it<mailto:adriano.santoni at staff.aruba.it>>; SMIME Certificate Working Group <smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>>
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
I agree there needs to disambiguating information contained within the certificate for these cases. However, mandating the use of the physical location attributes for this specific case would make the certificate profile more complex.
As an alternative approach, I suggest we define one or more orgID registration schemes and use the orgId attribute to convey the jurisdiction information. A few examples:
* A Government Entity located in Japan would have an orgID of “GOVJP”
* A Government Entity located in California, United States would have an orgID of “GOVUS+CA”
This will provide greater consistency in the certificate profile between those organizations which have registration numbers and those that do not.
Thanks,
Corey
From: Smcwg-public <smcwg-public-bounces at cabforum.org<mailto:smcwg-public-bounces at cabforum.org>> On Behalf Of Adriano Santoni via Smcwg-public
Sent: Friday, August 5, 2022 3:04 AM
To: smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] [External Sender] Re: OrganizationIdentifier for Gov and Treaty Orgs
I totally agree with Martijn Katerbarg.
Adriano
ACTALIS S.p.A.
Il 05/08/2022 09:02, Martijn Katerbarg via Smcwg-public ha scritto:
Should we at least subject:countryName to be present in these specific cases?
Otherwise, we could end up having certificates with a subject looking like this (OV):
subject:organizationName: Ministry of Finance
This leaves no way of telling for which country and entity this is. Possibly the email address tld could tell someone, but that shouldn’t be relied upon.
I’ve done a comparison with EV certificates. There are currently EV certificates out there with O=Ministry of Finance and SN=Government Entity, spanning 12 different country codes.
From: Smcwg-public <smcwg-public-bounces at cabforum.org><mailto:smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, 4 August 2022 16:49
To: smcwg-public at cabforum.org<mailto:smcwg-public at cabforum.org>
Subject: [Smcwg-public] OrganizationIdentifier for Gov and Treaty Orgs
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello:
In recent calls the group discussed that some Government and International Organization entities may not have identifiers.
It was agreed to adopt a similar workaround to that provided in the EV Guidelines.
I have added text implementing that change as seen at https://github.com/cabforum/smime/pull/158/files<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fsmime%2Fpull%2F158%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C0f411c93c7404dfc94a008da76288a32%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637952213783726589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MZM2OTOjk5dUNo52UbgMZKk%2B5OSnE5l9SZvf7L0tYi8%3D&reserved=0>
Regards, Stephen
Stephen Davidson
Governance, Risk & Compliance
stephen.davidson at digicert.com<mailto:stephen.davidson at digicert.com>
O 1.441.278.2803 | M 1.441.505.4908
[DigiCert_QuoVadis Logo Lockups_Phase 1_EmailSignatures_Phase1]
_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org<mailto:Smcwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/smcwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220810/729ba4a6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4581 bytes
Desc: image001.png
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220810/729ba4a6/attachment-0001.png>
More information about the Smcwg-public
mailing list